Hi Kurt,

As a random Internet volunteer, I've had a brief read of the report you're
citing:

  https://go.recordedfuture.com/hubfs/reports/cta-2021-0729.pdf

and while it may sound concerning without context, it looks to me like a
whole lot of nothing.

The report appears to be entirely built around automated sandbox runs by
Hybrid Analysis and Alienvault. There is no language that suggests Insikt
ran or even obtained a copy of the software.

They even give away that they don't understand what a sandbox does with
their first finding:

> This particular version of services.exe was first released by Microsoft
> on April 13, 2021, in a Windows 10 security update (KB5001337), indicating
> that the One Pass process infection chain may have been adapted since then
> to include this file as the initial loader.

This actually only indicates that the Windows VM used for testing the
sample was up to date.

Most of the behaviour noted is typical of installation software, and only
becomes concerning when the assumption is that the user did not consent to
installation.

Things that might not be obvious:

 - ActiveX support is not surprising for corporate convenience software or
bundled drivers.

 - Renaming built-in utilities like regsvr32.exe can be a red flag in
intrusion scenarios, but it's more likely a frozen copy of the Windows
utility to avoid compatibility problems.

 - The network listener behaviour might be suspicious, but does not show up
on the Alienvault report, and could be a mechanism for a UI to communicate
locally to the update service. wmControl.exe is also likely a frozen copy
of the Windows utility, as it appears on other Alienvault reports for One
Pass as a console application, not a driver.

 - Proprietary antivirus software identifying it as something unrelated is
almost always a false alert. In a similar way, the Alienvault detection of
"Exhibits behavior characteristic of Nymaim malware" is due to it using a
Windows feature to replace in-use files on restart.


This is not to give the software a clean bill of health, but as you're
aware, doing so would require in-depth investigation. Nothing in this
report makes me think it'll be worth the time.


Mark


On Tue, 14 Mar 2023, 04:19 'Kurt Seifried' via
[email protected], <[email protected]> wrote:

> I haven't seen the software. But isn't it BJCA's job to prove they are
> trustworthy? Shouldn't BJCA.cn have some simple answer in the form of "no
> it's not spyware, and here's how we can easily and simply prove it."
>
> Why is this the responsibility of random Internet volunteers to prevent
> Mozilla from being bamboozled into accepting an untrustworthy CA? Shouldn't
> Mozilla be ensuring that root CA's are highly trusted and not involved in
> spyware, like Trustcor apparently was?
>
> Also when it comes to spyware there are very few experts or groups that
> can properly analyze this (e.g. Citizen Lab comes to mind). There isn't
> some huge pool of people with a ton of spare time to track this down.
> Witness involvement in this mailing list as a good example of how few
> people are actually involved.
>
>
> On Mon, Mar 13, 2023 at 9:26 PM Ben Wilson <[email protected]> wrote:
>
>> Kurt,
>> I am a bit skeptical when I am only able to identify one report that is
>> then repeated by other sources. Were you able to identify independent
>> examinations of the v.2.x software other than the one by Insikt Group?
>> Ben
>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAPyX2ne%3DcXir9o%2Bui%2BbtJCJ%3DfOXUF%3DdcnAZbNp0H86P2Jt13fQ%40mail.gmail.com.